27999b6fd8df4c1c8e8a59d2bc0be3c8fea4aec44cc5d6b40ec0f9cde67b2af0

Analysis

max time kernel
114s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 13:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7a7a4f1c716bfcec7970f5d821622e90N.exe
Size

64KB
MD5

7a7a4f1c716bfcec7970f5d821622e90
SHA1

e9ba27a6dded4cc36f6b74f1b299fb894bc81527
SHA256

27999b6fd8df4c1c8e8a59d2bc0be3c8fea4aec44cc5d6b40ec0f9cde67b2af0
SHA512

11526f2b1c0bc17773b7105aeda843e57e0d6dc22abc977b03cec00f9f5a63b3fa3cfa59cdb6e2778e6171738c3be21b239fc303e4631b3e7c189d155c13fae7
SSDEEP

768:CuxFXdyweJZjZJelAgkD0PEBlbDRdYezSziU9x9Q/1H5OXdnhgPD4/DiHs9WqRxs:CQNeJZFEXhPEBlHYeeziUg+zDfWqc

Score

10^/10

discovery persistence

Malware Config

Signatures

Adds autorun key to be loaded by Explorer.exe on startup 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdnebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okailj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pokanf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Lkcccn32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Maoifh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okmpqjad.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okfbgiij.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pcbdcf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nefdbekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nooikj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okceaikl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Afnlpohj.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	7a7a4f1c716bfcec7970f5d821622e90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nakhaf32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ofijnbkb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Obkahddl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mdnebc32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nfknmd32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ocfdgg32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Obkahddl.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pmoagk32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mlbpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndlacapp.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Napameoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pkklbh32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Okailj32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pilpfm32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Pfbmdabh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Mkocol32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ocdgahag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nkapelka.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndlacapp.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nlcidopb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ndpjnq32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qppkhfec.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pbljoafi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ldkhlcnb.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Nkapelka.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Nefdbekh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ndpjnq32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohhfknjf.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pdngpo32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Qkfkng32.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ohncdobq.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Pfeijqqe.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad	Amfhgj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\ShellServiceObjectDelayLoad\Web Event Logger = "{79FEACFF-FFCE-815E-A900-316290B5B738}"	Ncjdki32.exe

Executes dropped EXE 61 IoCs

pid	Process
212	Lkcccn32.exe
408	Ldkhlcnb.exe
4232	Mlbpma32.exe
4292	Maoifh32.exe
2440	Mdnebc32.exe
2380	Mkocol32.exe
4028	Mdghhb32.exe
2028	Nkapelka.exe
4744	Nakhaf32.exe
3208	Nefdbekh.exe
3320	Nooikj32.exe
2288	Ncjdki32.exe
2896	Ndlacapp.exe
312	Nlcidopb.exe
4092	Napameoi.exe
4076	Nfknmd32.exe
3648	Nkhfek32.exe
2628	Nconfh32.exe
4484	Ndpjnq32.exe
2788	Nkjckkcg.exe
4324	Ohncdobq.exe
2364	Okmpqjad.exe
1316	Ocdgahag.exe
3096	Ohqpjo32.exe
2980	Ookhfigk.exe
2436	Ocfdgg32.exe
764	Odgqopeb.exe
2764	Okailj32.exe
5064	Obkahddl.exe
2044	Oheienli.exe
3632	Okceaikl.exe
404	Ofijnbkb.exe
2656	Ohhfknjf.exe
2080	Okfbgiij.exe
2796	Ocmjhfjl.exe
1492	Pdngpo32.exe
4356	Pmeoqlpl.exe
1912	Podkmgop.exe
3952	Pfncia32.exe
5024	Pilpfm32.exe
752	Pkklbh32.exe
4548	Pcbdcf32.exe
1680	Piolkm32.exe
1772	Pkmhgh32.exe
1500	Pfbmdabh.exe
788	Piaiqlak.exe
3680	Pokanf32.exe
1480	Pfeijqqe.exe
4220	Pmoagk32.exe
3600	Pomncfge.exe
3976	Pbljoafi.exe
5096	Qejfkmem.exe
2268	Qppkhfec.exe
1916	Qbngeadf.exe
2720	Qihoak32.exe
4988	Qkfkng32.exe
348	Aflpkpjm.exe
2832	Amfhgj32.exe
2144	Apddce32.exe
4272	Afnlpohj.exe
1548	Amhdmi32.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\Nkhfek32.exe	Nfknmd32.exe
File created	C:\Windows\SysWOW64\Khhmbdka.dll	Pmoagk32.exe
File created	C:\Windows\SysWOW64\Gckjdhni.dll	Aflpkpjm.exe
File created	C:\Windows\SysWOW64\Nlcidopb.exe	Ndlacapp.exe
File created	C:\Windows\SysWOW64\Qbngeadf.exe	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Podkmgop.exe	Pmeoqlpl.exe
File opened for modification	C:\Windows\SysWOW64\Ncjdki32.exe	Nooikj32.exe
File created	C:\Windows\SysWOW64\Pqoppk32.dll	Ofijnbkb.exe
File created	C:\Windows\SysWOW64\Pmeoqlpl.exe	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Oimlepla.dll	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Eobdnbdn.dll	Okfbgiij.exe
File created	C:\Windows\SysWOW64\Fpqifh32.dll	Ookhfigk.exe
File opened for modification	C:\Windows\SysWOW64\Pmeoqlpl.exe	Pdngpo32.exe
File created	C:\Windows\SysWOW64\Cbgabh32.dll	Mdnebc32.exe
File created	C:\Windows\SysWOW64\Okailj32.exe	Odgqopeb.exe
File opened for modification	C:\Windows\SysWOW64\Okceaikl.exe	Oheienli.exe
File opened for modification	C:\Windows\SysWOW64\Ohhfknjf.exe	Ofijnbkb.exe
File created	C:\Windows\SysWOW64\Qppkhfec.exe	Qejfkmem.exe
File created	C:\Windows\SysWOW64\Fogpoiia.dll	7a7a4f1c716bfcec7970f5d821622e90N.exe
File created	C:\Windows\SysWOW64\Ndlacapp.exe	Ncjdki32.exe
File created	C:\Windows\SysWOW64\Nkjckkcg.exe	Ndpjnq32.exe
File opened for modification	C:\Windows\SysWOW64\Oheienli.exe	Obkahddl.exe
File created	C:\Windows\SysWOW64\Kncgmcgd.dll	Obkahddl.exe
File created	C:\Windows\SysWOW64\Odlpkg32.dll	Pokanf32.exe
File opened for modification	C:\Windows\SysWOW64\Qejfkmem.exe	Pbljoafi.exe
File opened for modification	C:\Windows\SysWOW64\Qbngeadf.exe	Qppkhfec.exe
File opened for modification	C:\Windows\SysWOW64\Mkocol32.exe	Mdnebc32.exe
File created	C:\Windows\SysWOW64\Apddce32.exe	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Qkfkng32.exe	Qihoak32.exe
File created	C:\Windows\SysWOW64\Fpjepamq.dll	Mlbpma32.exe
File opened for modification	C:\Windows\SysWOW64\Okailj32.exe	Odgqopeb.exe
File created	C:\Windows\SysWOW64\Paajfjdm.dll	Oheienli.exe
File created	C:\Windows\SysWOW64\Ohhfknjf.exe	Ofijnbkb.exe
File created	C:\Windows\SysWOW64\Aofbkbfe.dll	Podkmgop.exe
File created	C:\Windows\SysWOW64\Pkklbh32.exe	Pilpfm32.exe
File created	C:\Windows\SysWOW64\Pomncfge.exe	Pmoagk32.exe
File opened for modification	C:\Windows\SysWOW64\Maoifh32.exe	Mlbpma32.exe
File opened for modification	C:\Windows\SysWOW64\Qkfkng32.exe	Qihoak32.exe
File opened for modification	C:\Windows\SysWOW64\Pomncfge.exe	Pmoagk32.exe
File created	C:\Windows\SysWOW64\Ocfdgg32.exe	Ookhfigk.exe
File created	C:\Windows\SysWOW64\Piaiqlak.exe	Pfbmdabh.exe
File opened for modification	C:\Windows\SysWOW64\Apddce32.exe	Amfhgj32.exe
File created	C:\Windows\SysWOW64\Amhdmi32.exe	Afnlpohj.exe
File opened for modification	C:\Windows\SysWOW64\Amhdmi32.exe	Afnlpohj.exe
File created	C:\Windows\SysWOW64\Maoifh32.exe	Mlbpma32.exe
File created	C:\Windows\SysWOW64\Nkapelka.exe	Mdghhb32.exe
File created	C:\Windows\SysWOW64\Ipiddlhk.dll	Nkapelka.exe
File created	C:\Windows\SysWOW64\Nooikj32.exe	Nefdbekh.exe
File created	C:\Windows\SysWOW64\Jgedpmpf.dll	Napameoi.exe
File created	C:\Windows\SysWOW64\Kpmmhc32.dll	Ocdgahag.exe
File created	C:\Windows\SysWOW64\Pfeijqqe.exe	Pokanf32.exe
File opened for modification	C:\Windows\SysWOW64\Qihoak32.exe	Qbngeadf.exe
File created	C:\Windows\SysWOW64\Ldkhlcnb.exe	Lkcccn32.exe
File opened for modification	C:\Windows\SysWOW64\Afnlpohj.exe	Apddce32.exe
File opened for modification	C:\Windows\SysWOW64\Aflpkpjm.exe	Qkfkng32.exe
File created	C:\Windows\SysWOW64\Ookhfigk.exe	Ohqpjo32.exe
File created	C:\Windows\SysWOW64\Pilpfm32.exe	Pfncia32.exe
File created	C:\Windows\SysWOW64\Pcbdcf32.exe	Pkklbh32.exe
File opened for modification	C:\Windows\SysWOW64\Pcbdcf32.exe	Pkklbh32.exe
File created	C:\Windows\SysWOW64\Hlkjom32.dll	Qppkhfec.exe
File created	C:\Windows\SysWOW64\Nefdbekh.exe	Nakhaf32.exe
File created	C:\Windows\SysWOW64\Jjonchmn.dll	Nooikj32.exe
File opened for modification	C:\Windows\SysWOW64\Ohncdobq.exe	Nkjckkcg.exe
File opened for modification	C:\Windows\SysWOW64\Ocdgahag.exe	Okmpqjad.exe

System Location Discovery: System Language Discovery 1 TTPs 62 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfncia32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nfknmd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Odgqopeb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmeoqlpl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfeijqqe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pomncfge.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aflpkpjm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nefdbekh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohqpjo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohhfknjf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piolkm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkmhgh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nlcidopb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okmpqjad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocfdgg32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pdngpo32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pkklbh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkapelka.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Oheienli.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amfhgj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qbngeadf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ookhfigk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pfbmdabh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qppkhfec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Podkmgop.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pokanf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Apddce32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mlbpma32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdghhb32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndpjnq32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pcbdcf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Maoifh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okceaikl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okfbgiij.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qihoak32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Afnlpohj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ncjdki32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ofijnbkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qejfkmem.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkjckkcg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pilpfm32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7a7a4f1c716bfcec7970f5d821622e90N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mdnebc32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ndlacapp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Lkcccn32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ldkhlcnb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nakhaf32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocmjhfjl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Qkfkng32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nkhfek32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ocdgahag.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Obkahddl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ohncdobq.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Piaiqlak.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Okailj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pbljoafi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mkocol32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nooikj32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Nconfh32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Napameoi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Pmoagk32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Amhdmi32.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocdgahag.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pdngpo32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Amfhgj32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkapelka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ookhfigk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Mkbdql32.dll"	Okceaikl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmeoqlpl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pmejnpqp.dll"	Qbngeadf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fpjepamq.dll"	Mlbpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	7a7a4f1c716bfcec7970f5d821622e90N.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mdghhb32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Gipjam32.dll"	Nkjckkcg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okmpqjad.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Hkidlkmq.dll"	Ohhfknjf.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fogpoiia.dll"	7a7a4f1c716bfcec7970f5d821622e90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kkpdnm32.dll"	Piaiqlak.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nconfh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Podkmgop.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Maoifh32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkmhgh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Apddce32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Odpldj32.dll"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ohncdobq.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Inkqjp32.dll"	Okailj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Jknmpb32.dll"	Pomncfge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qppkhfec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nooikj32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Nakhaf32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Debaqh32.dll"	Ocmjhfjl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pkklbh32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qihoak32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Napameoi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Kncgmcgd.dll"	Obkahddl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Oheienli.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Pqoppk32.dll"	Ofijnbkb.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}	7a7a4f1c716bfcec7970f5d821622e90N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mdghhb32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Odgqopeb.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ncloojfj.dll"	Pfncia32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Piaiqlak.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Mkocol32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ndlacapp.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Nkhfek32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Fflnkhef.dll"	Pilpfm32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Qejfkmem.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Ncjdki32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocfdgg32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Paajfjdm.dll"	Oheienli.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Okceaikl.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ocmjhfjl.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Pmoagk32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Aflpkpjm.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Mlbpma32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ = "C:\\Windows\\SysWow64\\Ipiddlhk.dll"	Nkapelka.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32	Ncjdki32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{79FEACFF-FFCE-815E-A900-316290B5B738}\InProcServer32\ThreadingModel = "Apartment"	Okceaikl.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1048 wrote to memory of 212	1048	7a7a4f1c716bfcec7970f5d821622e90N.exe	90
PID 1048 wrote to memory of 212	1048	7a7a4f1c716bfcec7970f5d821622e90N.exe	90
PID 1048 wrote to memory of 212	1048	7a7a4f1c716bfcec7970f5d821622e90N.exe	90
PID 212 wrote to memory of 408	212	Lkcccn32.exe	91
PID 212 wrote to memory of 408	212	Lkcccn32.exe	91
PID 212 wrote to memory of 408	212	Lkcccn32.exe	91
PID 408 wrote to memory of 4232	408	Ldkhlcnb.exe	92
PID 408 wrote to memory of 4232	408	Ldkhlcnb.exe	92
PID 408 wrote to memory of 4232	408	Ldkhlcnb.exe	92
PID 4232 wrote to memory of 4292	4232	Mlbpma32.exe	93
PID 4232 wrote to memory of 4292	4232	Mlbpma32.exe	93
PID 4232 wrote to memory of 4292	4232	Mlbpma32.exe	93
PID 4292 wrote to memory of 2440	4292	Maoifh32.exe	94
PID 4292 wrote to memory of 2440	4292	Maoifh32.exe	94
PID 4292 wrote to memory of 2440	4292	Maoifh32.exe	94
PID 2440 wrote to memory of 2380	2440	Mdnebc32.exe	95
PID 2440 wrote to memory of 2380	2440	Mdnebc32.exe	95
PID 2440 wrote to memory of 2380	2440	Mdnebc32.exe	95
PID 2380 wrote to memory of 4028	2380	Mkocol32.exe	97
PID 2380 wrote to memory of 4028	2380	Mkocol32.exe	97
PID 2380 wrote to memory of 4028	2380	Mkocol32.exe	97
PID 4028 wrote to memory of 2028	4028	Mdghhb32.exe	98
PID 4028 wrote to memory of 2028	4028	Mdghhb32.exe	98
PID 4028 wrote to memory of 2028	4028	Mdghhb32.exe	98
PID 2028 wrote to memory of 4744	2028	Nkapelka.exe	100
PID 2028 wrote to memory of 4744	2028	Nkapelka.exe	100
PID 2028 wrote to memory of 4744	2028	Nkapelka.exe	100
PID 4744 wrote to memory of 3208	4744	Nakhaf32.exe	101
PID 4744 wrote to memory of 3208	4744	Nakhaf32.exe	101
PID 4744 wrote to memory of 3208	4744	Nakhaf32.exe	101
PID 3208 wrote to memory of 3320	3208	Nefdbekh.exe	102
PID 3208 wrote to memory of 3320	3208	Nefdbekh.exe	102
PID 3208 wrote to memory of 3320	3208	Nefdbekh.exe	102
PID 3320 wrote to memory of 2288	3320	Nooikj32.exe	103
PID 3320 wrote to memory of 2288	3320	Nooikj32.exe	103
PID 3320 wrote to memory of 2288	3320	Nooikj32.exe	103
PID 2288 wrote to memory of 2896	2288	Ncjdki32.exe	104
PID 2288 wrote to memory of 2896	2288	Ncjdki32.exe	104
PID 2288 wrote to memory of 2896	2288	Ncjdki32.exe	104
PID 2896 wrote to memory of 312	2896	Ndlacapp.exe	105
PID 2896 wrote to memory of 312	2896	Ndlacapp.exe	105
PID 2896 wrote to memory of 312	2896	Ndlacapp.exe	105
PID 312 wrote to memory of 4092	312	Nlcidopb.exe	107
PID 312 wrote to memory of 4092	312	Nlcidopb.exe	107
PID 312 wrote to memory of 4092	312	Nlcidopb.exe	107
PID 4092 wrote to memory of 4076	4092	Napameoi.exe	108
PID 4092 wrote to memory of 4076	4092	Napameoi.exe	108
PID 4092 wrote to memory of 4076	4092	Napameoi.exe	108
PID 4076 wrote to memory of 3648	4076	Nfknmd32.exe	109
PID 4076 wrote to memory of 3648	4076	Nfknmd32.exe	109
PID 4076 wrote to memory of 3648	4076	Nfknmd32.exe	109
PID 3648 wrote to memory of 2628	3648	Nkhfek32.exe	110
PID 3648 wrote to memory of 2628	3648	Nkhfek32.exe	110
PID 3648 wrote to memory of 2628	3648	Nkhfek32.exe	110
PID 2628 wrote to memory of 4484	2628	Nconfh32.exe	111
PID 2628 wrote to memory of 4484	2628	Nconfh32.exe	111
PID 2628 wrote to memory of 4484	2628	Nconfh32.exe	111
PID 4484 wrote to memory of 2788	4484	Ndpjnq32.exe	112
PID 4484 wrote to memory of 2788	4484	Ndpjnq32.exe	112
PID 4484 wrote to memory of 2788	4484	Ndpjnq32.exe	112
PID 2788 wrote to memory of 4324	2788	Nkjckkcg.exe	113
PID 2788 wrote to memory of 4324	2788	Nkjckkcg.exe	113
PID 2788 wrote to memory of 4324	2788	Nkjckkcg.exe	113
PID 4324 wrote to memory of 2364	4324	Ohncdobq.exe	114

C:\Users\Admin\AppData\Local\Temp\7a7a4f1c716bfcec7970f5d821622e90N.exe
"C:\Users\Admin\AppData\Local\Temp\7a7a4f1c716bfcec7970f5d821622e90N.exe"
1⤵
- Adds autorun key to be loaded by Explorer.exe on startup
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1048
- C:\Windows\SysWOW64\Lkcccn32.exe
  C:\Windows\system32\Lkcccn32.exe
  2⤵
  - Adds autorun key to be loaded by Explorer.exe on startup
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:212
- - C:\Windows\SysWOW64\Ldkhlcnb.exe
    C:\Windows\system32\Ldkhlcnb.exe
    3⤵
    - Adds autorun key to be loaded by Explorer.exe on startup
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:408
  - - C:\Windows\SysWOW64\Mlbpma32.exe
      C:\Windows\system32\Mlbpma32.exe
      4⤵
      Adds autorun key to be loaded by Explorer.exe on startup
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:4232
    - - C:\Windows\SysWOW64\Maoifh32.exe
        
        C:\Windows\system32\Maoifh32.exe
        5⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4292
      - C:\Windows\SysWOW64\Mdnebc32.exe
        
        C:\Windows\system32\Mdnebc32.exe
        6⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\SysWOW64\Mkocol32.exe
        
        C:\Windows\system32\Mkocol32.exe
        7⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\SysWOW64\Mdghhb32.exe
        
        C:\Windows\system32\Mdghhb32.exe
        8⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4028
        
        C:\Windows\SysWOW64\Nkapelka.exe
        
        C:\Windows\system32\Nkapelka.exe
        9⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\SysWOW64\Nakhaf32.exe
        
        C:\Windows\system32\Nakhaf32.exe
        10⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4744
        
        C:\Windows\SysWOW64\Nefdbekh.exe
        
        C:\Windows\system32\Nefdbekh.exe
        11⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3208
        
        C:\Windows\SysWOW64\Nooikj32.exe
        
        C:\Windows\system32\Nooikj32.exe
        12⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3320
        
        C:\Windows\SysWOW64\Ncjdki32.exe
        
        C:\Windows\system32\Ncjdki32.exe
        13⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\SysWOW64\Ndlacapp.exe
        
        C:\Windows\system32\Ndlacapp.exe
        14⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2896
        
        C:\Windows\SysWOW64\Nlcidopb.exe
        
        C:\Windows\system32\Nlcidopb.exe
        15⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:312
        
        C:\Windows\SysWOW64\Napameoi.exe
        
        C:\Windows\system32\Napameoi.exe
        16⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4092
        
        C:\Windows\SysWOW64\Nfknmd32.exe
        
        C:\Windows\system32\Nfknmd32.exe
        17⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4076
        
        C:\Windows\SysWOW64\Nkhfek32.exe
        
        C:\Windows\system32\Nkhfek32.exe
        18⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3648
        
        C:\Windows\SysWOW64\Nconfh32.exe
        
        C:\Windows\system32\Nconfh32.exe
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\SysWOW64\Ndpjnq32.exe
        
        C:\Windows\system32\Ndpjnq32.exe
        20⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\SysWOW64\Nkjckkcg.exe
        
        C:\Windows\system32\Nkjckkcg.exe
        21⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\SysWOW64\Ohncdobq.exe
        
        C:\Windows\system32\Ohncdobq.exe
        22⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4324
        
        C:\Windows\SysWOW64\Okmpqjad.exe
        
        C:\Windows\system32\Okmpqjad.exe
        23⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2364
        
        C:\Windows\SysWOW64\Ocdgahag.exe
        
        C:\Windows\system32\Ocdgahag.exe
        24⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1316
        
        C:\Windows\SysWOW64\Ohqpjo32.exe
        
        C:\Windows\system32\Ohqpjo32.exe
        25⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\Ookhfigk.exe
        
        C:\Windows\system32\Ookhfigk.exe
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2980
        
        C:\Windows\SysWOW64\Ocfdgg32.exe
        
        C:\Windows\system32\Ocfdgg32.exe
        27⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2436
        
        C:\Windows\SysWOW64\Odgqopeb.exe
        
        C:\Windows\system32\Odgqopeb.exe
        28⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:764
        
        C:\Windows\SysWOW64\Okailj32.exe
        
        C:\Windows\system32\Okailj32.exe
        29⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2764
        
        C:\Windows\SysWOW64\Obkahddl.exe
        
        C:\Windows\system32\Obkahddl.exe
        30⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5064
        
        C:\Windows\SysWOW64\Oheienli.exe
        
        C:\Windows\system32\Oheienli.exe
        31⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2044
        
        C:\Windows\SysWOW64\Okceaikl.exe
        
        C:\Windows\system32\Okceaikl.exe
        32⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3632
        
        C:\Windows\SysWOW64\Ofijnbkb.exe
        
        C:\Windows\system32\Ofijnbkb.exe
        33⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:404
        
        C:\Windows\SysWOW64\Ohhfknjf.exe
        
        C:\Windows\system32\Ohhfknjf.exe
        34⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2656
        
        C:\Windows\SysWOW64\Okfbgiij.exe
        
        C:\Windows\system32\Okfbgiij.exe
        35⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2080
        
        C:\Windows\SysWOW64\Ocmjhfjl.exe
        
        C:\Windows\system32\Ocmjhfjl.exe
        36⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2796
        
        C:\Windows\SysWOW64\Pdngpo32.exe
        
        C:\Windows\system32\Pdngpo32.exe
        37⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1492
        
        C:\Windows\SysWOW64\Pmeoqlpl.exe
        
        C:\Windows\system32\Pmeoqlpl.exe
        38⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4356
        
        C:\Windows\SysWOW64\Podkmgop.exe
        
        C:\Windows\system32\Podkmgop.exe
        39⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1912
        
        C:\Windows\SysWOW64\Pfncia32.exe
        
        C:\Windows\system32\Pfncia32.exe
        40⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3952
        
        C:\Windows\SysWOW64\Pilpfm32.exe
        
        C:\Windows\system32\Pilpfm32.exe
        41⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5024
        
        C:\Windows\SysWOW64\Pkklbh32.exe
        
        C:\Windows\system32\Pkklbh32.exe
        42⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:752
        
        C:\Windows\SysWOW64\Pcbdcf32.exe
        
        C:\Windows\system32\Pcbdcf32.exe
        43⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4548
        
        C:\Windows\SysWOW64\Piolkm32.exe
        
        C:\Windows\system32\Piolkm32.exe
        44⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1680
        
        C:\Windows\SysWOW64\Pkmhgh32.exe
        
        C:\Windows\system32\Pkmhgh32.exe
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1772
        
        C:\Windows\SysWOW64\Pfbmdabh.exe
        
        C:\Windows\system32\Pfbmdabh.exe
        46⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:1500
        
        C:\Windows\SysWOW64\Piaiqlak.exe
        
        C:\Windows\system32\Piaiqlak.exe
        47⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:788
        
        C:\Windows\SysWOW64\Pokanf32.exe
        
        C:\Windows\system32\Pokanf32.exe
        48⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\Windows\SysWOW64\Pfeijqqe.exe
        
        C:\Windows\system32\Pfeijqqe.exe
        49⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1480
        
        C:\Windows\SysWOW64\Pmoagk32.exe
        
        C:\Windows\system32\Pmoagk32.exe
        50⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4220
        
        C:\Windows\SysWOW64\Pomncfge.exe
        
        C:\Windows\system32\Pomncfge.exe
        51⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3600
        
        C:\Windows\SysWOW64\Pbljoafi.exe
        
        C:\Windows\system32\Pbljoafi.exe
        52⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:3976
        
        C:\Windows\SysWOW64\Qejfkmem.exe
        
        C:\Windows\system32\Qejfkmem.exe
        53⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5096
        
        C:\Windows\SysWOW64\Qppkhfec.exe
        
        C:\Windows\system32\Qppkhfec.exe
        54⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2268
        
        C:\Windows\SysWOW64\Qbngeadf.exe
        
        C:\Windows\system32\Qbngeadf.exe
        55⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1916
        
        C:\Windows\SysWOW64\Qihoak32.exe
        
        C:\Windows\system32\Qihoak32.exe
        56⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2720
        
        C:\Windows\SysWOW64\Qkfkng32.exe
        
        C:\Windows\system32\Qkfkng32.exe
        57⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4988
        
        C:\Windows\SysWOW64\Aflpkpjm.exe
        
        C:\Windows\system32\Aflpkpjm.exe
        58⤵
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:348
        
        C:\Windows\SysWOW64\Amfhgj32.exe
        
        C:\Windows\system32\Amfhgj32.exe
        59⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2832
        
        C:\Windows\SysWOW64\Apddce32.exe
        
        C:\Windows\system32\Apddce32.exe
        60⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2144
        
        C:\Windows\SysWOW64\Afnlpohj.exe
        
        C:\Windows\system32\Afnlpohj.exe
        61⤵
        Adds autorun key to be loaded by Explorer.exe on startup
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:4272
        
        C:\Windows\SysWOW64\Amhdmi32.exe
        
        C:\Windows\system32\Amhdmi32.exe
        62⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4408,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=1284 /prefetch:8
1⤵
PID:5460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Ldkhlcnb.exe

Filesize
64KB

MD5
53fed6d87744b50f8978f726ae9acd25

SHA1
8a9b7459766773d94eaa6039611f58a753cb653c

SHA256
367f0199ad253dd72a6321a9f0bb117aeb4fb2e386ae7197fa503ae254e31bfa

SHA512
6c9e9a752a2f894bb6d376f5d6571a842b0454c188b4ca8eaa7a1cc94d19a05a68af16061c1ab324db6a59487537631c07196da5ffaaa9c03a2b5ccabf2fca31

Download Submit
C:\Windows\SysWOW64\Lkcccn32.exe

Filesize
64KB

MD5
515c7bef76c3154e76a66b6feb4ad6d1

SHA1
c69eae60f26d67ba9fa5bdffcc8af928161d8a06

SHA256
b5d7a8b037564db73d413ed4b4b1a04465d735e68d98055bb58a221b2b3acfa6

SHA512
fe05e37e50069a80cde2703e989f5240b768c4c4b4f6da9ad3b3fc95df7f7d2616b83f383fbaac0b7cd84f556cf502431441b09287ac1f4e819bf95762e6e3b4

Download Submit
C:\Windows\SysWOW64\Maoifh32.exe

Filesize
64KB

MD5
904894fdeafd780ee15497f751b801bd

SHA1
b56cb09c7e49c48999784261c0fc8508a790b307

SHA256
31679d013f9ea4daa31a81bbeec2fa651172fcd363c4f45b636c6c95f61727ab

SHA512
e9a62365e5428b0d9cf91933bda8ac8bbc4b0c3749f91eed25d055a7271bdc23b3dcd9960650d9b2f1d90acf3382b3c6908f732bf49c57623912434ada41f465

Download Submit
C:\Windows\SysWOW64\Mdghhb32.exe

Filesize
64KB

MD5
9f606a5888b007dec77cbcb44a7d43b3

SHA1
64dbca3be68a7409225ab3288ffdfd95cec78392

SHA256
0b15984999b457fc8e8c061e164b9aa8d61e6b0c978b32c50224f1ecbb59ab42

SHA512
4029f9ad0add9e306806952989a576e66e47aedbba01dc2d675b8ca3716c3c73f84b76741ce54cae07b8c2fa851efeb49c4bc6bcd572c5ec1622885cfb89e6a0

Download Submit
C:\Windows\SysWOW64\Mdnebc32.exe

Filesize
64KB

MD5
3ffb567e9d262d34251852fdd796d7bd

SHA1
5b7aee016a14575c0cc1e7343ca75a95856b03bf

SHA256
2290a3fb276a75b8434427fbb444c305217bee17551ba63e0b376d5d9ad87c08

SHA512
bcfb9f9b12017af3c552bf153306f2e4ac0a926c6ee4d40d5072583b979508f42351d72d42efdbc5c533bf5905d4842668445a5fbf3dba7f65bf737f5b2b5cd7

Download Submit
C:\Windows\SysWOW64\Mkocol32.exe

Filesize
64KB

MD5
9920e67aa5a102a6fa4084ff05d6046d

SHA1
8cd6c80af1ae7c7e0e51dd08c01def14b6905917

SHA256
1c6c3bc1854dedc972ee378c5efb40b95a2751af255e6929893fa5a071c5db5e

SHA512
b302567130b42f8ec4ade6c619bb7c56bcdeed6c577eb0fe687fd6d2ceae37dedb77b95da977fa853cc03ea773b552d80628078df5c69373d50a9238d47eda20

Download Submit
C:\Windows\SysWOW64\Mlbpma32.exe

Filesize
64KB

MD5
42f7ef2e76a4b7dc66a326aee1eef4ba

SHA1
cb0ba7a50c46c615ce15133aeee35983dc27b8f8

SHA256
9a05c3b2766f2e72c0ea00f18dd3303305dbd2432b62ac56f14024ca95a75fe3

SHA512
4bdcc0925626709a9ec64318a9468723e31b39dbd38b0c0c4f3723926230ca54496d81e767c1210a4e15baa0286320177088e51fe701a409d06201e37f9f6073

Download Submit
C:\Windows\SysWOW64\Nakhaf32.exe

Filesize
64KB

MD5
922ecaf4bf4e62a4e22b48b433e7e8be

SHA1
be6514cd56c1dfe32875f6562d58155262a21a4f

SHA256
fbc090eb14949d254e39c94414474e8137128a24af831416dd737e432fd183c3

SHA512
6776673f1087c5ef7c6b98b5ac2f94d1ba48e0c46836da71ed2bbbf2989f3f350143f4ea9335a9ef07a3cda1c744247eef88757f8c33a9f9f2d206ec20b56dcb

Download Submit
C:\Windows\SysWOW64\Napameoi.exe

Filesize
64KB

MD5
e02db9de6101a8ca1b7531cbd1773559

SHA1
dec5adf0fdccf34f4d27a8483e2d632831705643

SHA256
5e4ff9aafd49229c826ff8bae1453cfe6335f14b018c81c33ed5d05752db3ded

SHA512
0da40e6da4394e50be54e6ca9f4be73c0e27fd70e0b6ecf5f5c332f38876e9ea022b798a442d959ac3ed4ddbba95f3962d0f570641ce130b5ea9e7574604b69f

Download Submit
C:\Windows\SysWOW64\Ncjdki32.exe

Filesize
64KB

MD5
f398b439bbc094a9f9f83b88eec9d5e5

SHA1
784254f02bffc7c54a579022f80f34adc70bc25b

SHA256
7e63271f9ceb86374f0a0bd65f09e023ab42b0a0e86d1600fe4d0117212da0d7

SHA512
b9f3f2e367b21f05331d5fc18184aa17b9f2a593c92d2c257499532cc4cc952d8b7cc4ca1be42cc984ec39b94603168c68cd3ed8448a8aa82b1a7673d6073012

Download Submit
C:\Windows\SysWOW64\Nconfh32.exe

Filesize
64KB

MD5
e967b698601ed94034af841f030bb0f1

SHA1
7fc5c67e2f0b8966fe0117648a40dbdc7a583ae3

SHA256
a5fcf15ab0319e884c5bc4edcd93c6a6a4940992919c076f6db9147738080c1d

SHA512
d142357d91ef625036f5bc23b9d11c8f8db4876de25d2d88331552b5d41bd4f9db6f78e099b73dfedf471a1838ae4131c831321595802aa1f5dee5063518ce0c

Download Submit
C:\Windows\SysWOW64\Ndlacapp.exe

Filesize
64KB

MD5
528c565878d832ac071b331df375b9f1

SHA1
ad40b40c15a8b3431eb71db5c4393e293b3b8ed0

SHA256
384852ae5fec6c21c53edff3f65b4252985680526c585a215147e590775af483

SHA512
22b62bc419b24a9c1491aea8d20c088990a2302d5c52ec89d8c846ad166f50a1fa0aa21492d1e11dcb35f2a4ca7b4509ae400d15701c5f3268f58bb12b69ee3d

Download Submit
C:\Windows\SysWOW64\Ndpjnq32.exe

Filesize
64KB

MD5
6765d8483b68b18069aa48c9e23aaec3

SHA1
f4a0c1dcc275395bd05f227ff8b049ca19831ae1

SHA256
999ed7cabcdec01a90d19ac12a472dabd19227c5c29dcac7889019e8cc1ff344

SHA512
5d014c04caf45235a5265dd0962a746af4bed6bb8871782fe6acba9f63595f1b8330b29ddaa0542453170b2e9309ea90f4435b027eabca98cb7d8019f8cf9cde

Download Submit
C:\Windows\SysWOW64\Nefdbekh.exe

Filesize
64KB

MD5
91af201a8951d78ba5955414b700e3ab

SHA1
46aeb08d9d24131ca5064bdc8ac89fc9c3a3d26e

SHA256
72962f59019db3b0f516114413d864a3497782f328639c62e015dbfa27b22604

SHA512
d04cf7d997b0f94a7ee71313bf4151afc59e897075a7da0e7169f596782b4fdf0c4be23aa1d17629a0eb3604b856b8fec3843aeb410bc894c0e39b799ecdfc91

Download Submit
C:\Windows\SysWOW64\Nfknmd32.exe

Filesize
64KB

MD5
f8482e87067671a1ef7bcd82cb6fae61

SHA1
4ca2e32c8d2d4325b7c7616b619def3a25e0a66c

SHA256
be28d934fff169376b86a08b3a8f5f708b3509657e845ae1b82cb03e2d39b3fb

SHA512
af6d14c4653900dc3174aa5cfd3b77192da05a72850a1cfd76d2ea161728c1f1547af3e2a11f160aaa68421ed28ab103a876a9822c468241fe99d6ce1c657189

Download Submit
C:\Windows\SysWOW64\Nkapelka.exe

Filesize
64KB

MD5
b91b45a8fb6c6ddfbb4b976a8e64ce90

SHA1
3e399e4bcadfeee3c0956d0ac3fbddcfb5d2a0c6

SHA256
e53138755c726d7bbec70672c4484a786552eda74552eed56a839092fcd2fffb

SHA512
910fc91f75f554180dc2601134bc0dbd585b85babdd80fec15426f45265ac21bb04f81380f047f6f94119beacfd03d205f9532d112a8fcfca0088264815168d8

Download Submit
C:\Windows\SysWOW64\Nkhfek32.exe

Filesize
64KB

MD5
5f0a6974a8299fc945bb87b191659747

SHA1
1d3c7f80fa26bf33a1b526be7b97b36c3288054c

SHA256
39b55af9bd69605794be14ab7d00dfafcbd058bbea145cf1b061aecfdab1768c

SHA512
5f05d93e5a42a1c7ea0fee6319debe26f6f1de94061607625cc9489ece83b1641659cdfada035a9708a01d3bb2c156d83a375dc5948c2654dad2942af92aafe4

Download Submit
C:\Windows\SysWOW64\Nkjckkcg.exe

Filesize
64KB

MD5
aac7e02bd266cdb8d294c9396631bf67

SHA1
71cd9396c8a5cc2ff16f664991043136a6d06ab2

SHA256
5022aed138df71b3e55ebf7e593bf3930fcb0350cf17f716c832be81664d5239

SHA512
a639deb5655adb3f0afd209ce6b8e424af99b2ac0a7f5e6b3b09c8df071dc5c8e944b75476db313c5acb6d6f3f7f3db6c262dc96bcf0900879c7d84430d76268

Download Submit
C:\Windows\SysWOW64\Nlcidopb.exe

Filesize
64KB

MD5
ead1952389eb1fad441d45dec71c69ab

SHA1
48fc4254a3846d875c4fd408a27b8f3492725415

SHA256
8fa35f129f40bde9b1af78dd7d8910e0d7f5e2b629ff074976d32f152aec3f0d

SHA512
bf8dda7ddcaccd541a91bda996a1ca7fde3d43bafd0be43a35636752f7d0466d54e1cd5866c5c9b3b418c9ecd2cc4793bf7b707e7e56b414052391b16a79c719

Download Submit
C:\Windows\SysWOW64\Nooikj32.exe

Filesize
64KB

MD5
8363107a9e001c3a4204633b2d667624

SHA1
e69435137b14d2afa6f9e55734a04865f34cae5b

SHA256
6b86089769056d72416e69f5afb3c2e7d5fd0bf2c7fbe33f296f212eb6c20bc7

SHA512
9309c92771b4914dc851aa979a510e9f6085a01d8dc2b89338b8822d0c684f1980f2bc737ddb13b6b451c6a1f3efe1a82c026eddd683b31ad38a26e334a8b525

Download Submit
C:\Windows\SysWOW64\Obkahddl.exe

Filesize
64KB

MD5
006436d26c228c02117f771e0913a2a4

SHA1
c5462659277ab24aef06b4e2ac047fffa4637457

SHA256
bf7f427f32e64304c88674b5d74c166f0e768d99bb128e079d318849d49cdf9e

SHA512
644c02596e48bcb38bd9c10043e3a5ec1268cdb95168667f2bafb2103a7d80f54b27fff6ded5d726925d04c20a358711b27755ede83f607aea7882bbae67c28d

Download Submit
C:\Windows\SysWOW64\Ocdgahag.exe

Filesize
64KB

MD5
cd264b2dfd53f72e34ff8d8f3f7080e6

SHA1
8ced6de8b1bd939450dfe40c6bf4078e389e8073

SHA256
7788b84c744677b6224294e6301cde0e00441d378613297e43c487c666cb2bf2

SHA512
c41bec6f1cc9e41672e35a85322206b76b8f2130552d4a6bfdbb2507a1bfeba77643d6a804fc19b396a074093fd528c22d44b62d416dce31616e75c0aba247c4

Download Submit
C:\Windows\SysWOW64\Ocfdgg32.exe

Filesize
64KB

MD5
88b1cf3f29353d69e03b24afa5338f0f

SHA1
0dec8002cc669d1688fb61b507f55b1b16d0e572

SHA256
c3be1796d39e274d900103cf8f65d0ad9278e8367dee14a30f2332af6a68a854

SHA512
40a38e8055fd5e6a7e6057032980b56df44d9ceaf2377314cba82d5059aae7bdc7d318bb3f65e9cc63861bfb6815c735f9689f6e5bb2f2ab208bd83816c4d3df

Download Submit
C:\Windows\SysWOW64\Odgqopeb.exe

Filesize
64KB

MD5
f2823d34131d3eaea554da6a008a8455

SHA1
05dc14a9c9e2d73d150c63916c0f8125e5879411

SHA256
4e1b881cf759ce1892b33408dfd671f1b5b1120aac99f1975d7d29daba3a6faf

SHA512
9012b317ccdbca7e77f601eacc3b32cbc870c46f233993f1b1356b37f9cede52d7c446260d68278959f6e7553af887f5405a48922f5a12952a6db286d8ebd4fc

Download Submit
C:\Windows\SysWOW64\Ofijnbkb.exe

Filesize
64KB

MD5
6cbabdd2d9614eb53f48be732256ae11

SHA1
1f659cbd97d404d92ac3ea6faf70ffab6f07a76d

SHA256
c7f6f7185a102aaf9e3f6e8704d87564cf40f4de3fb076cfeb947108e54cc765

SHA512
7a3536f7be9a6d67d6c435e3acccfa97981e76569a17bcc11bdf4e5c686c11e1f973fb2b6bdeb542b08163750b9a126f28616393355ef8ab8ab0a24c01ceb9e3

Download Submit
C:\Windows\SysWOW64\Oheienli.exe

Filesize
64KB

MD5
95a82ed20dd2da38552136f78dce6a7a

SHA1
8da638bc677735e56c1310bf97b153da300c767a

SHA256
d6a066b04a2efa6c6366331c209925b7ef187f6d48b121e1a9c671a8ba9cbae2

SHA512
02662ea4388825771b31627c511e4693d7861fcc833604fc38b8f44bfcc0fdfd7edf2378497d24c7d6ebb4e1c4aff14ce1c71f124c13d2095643babc4b23e35c

Download Submit
C:\Windows\SysWOW64\Ohncdobq.exe

Filesize
64KB

MD5
2c6f1ca2ca823ad9aae9be2eab8a581a

SHA1
c76c70538acc60327bc3300482645cbdfcadef90

SHA256
a1659778b3dd7493686eb6ce341acb9a2f826f32d0acb783fc2ce7129de78f46

SHA512
14b3ca99633a339458092222cdb04fcb04fb8046af95272d79a30fe10077570261ed24c547fca8b1f0b435b1185efa6ba6a6ce5328fe23051e7da5b98d6bd20a

Download Submit
C:\Windows\SysWOW64\Ohqpjo32.exe

Filesize
64KB

MD5
eb5383d681af8491982cc9f51790c52c

SHA1
e9483325a3b94409316cdeff361b4a371657260c

SHA256
c6adb9e44b549539964648fd7765c756cb240fbe6ad6c3963611f01730a2d95a

SHA512
ffea0ad3a851026298174874489c64de8785cc513daaf395eceec0cbd367e747e44dbf758d6a59a481d6fe587b3687e87fae66561576e48ac45f8f95ca2fd6ef

Download Submit
C:\Windows\SysWOW64\Okailj32.exe

Filesize
64KB

MD5
3ed2d570384fff3a8539d78a18d3c073

SHA1
cbd150ea9bc4e72711b837a0a0882c10c2c1e1e1

SHA256
4f933f74fec43c6dc722ee0565efc86d26f15227020a00facff46e37e960f0cf

SHA512
1659319f622dc6394759f00b7450745435adc36887ba1593343f24cb2e2b8913883c613d0f99d13b2c0d654c883b3e9f6248cd6e09d40c39b87e612e703043e7

Download Submit
C:\Windows\SysWOW64\Okceaikl.exe

Filesize
64KB

MD5
ec5a8f95cf2737b0b138035be70f34c3

SHA1
9834b10e20aae4a42a8a0967e049f02f88aa6e56

SHA256
b891b2377faecf662c1a748e83cd2d1370087e65fc495233e644755c308218a6

SHA512
0ad68ff0b6289f19557a43eecb58dbb93279c611e5ee3bc10750afc6250db38812bfbcd0e243992ee494789d72d7cc44ca9b0c7b5424f61847e8a5a0c7bf8c16

Download Submit
C:\Windows\SysWOW64\Okmpqjad.exe

Filesize
64KB

MD5
33554a392d7e51c1b3d08023c039e02f

SHA1
3a1d11791c3e58a79ee1ea5368023f44ef785ae0

SHA256
6ebc8e5e5a732bf7d14d093f92c23c755935e23fe6980a7da6aefd052642d023

SHA512
40855e924b48519265ea71772fb1d4ac46a4fb649442172e1b3ad17e01e77e05ed7e5610a5bfb608611aabccbcff44e44551eb88556d51e54b402f066764d6ed

Download Submit
C:\Windows\SysWOW64\Ookhfigk.exe

Filesize
64KB

MD5
30e881c6b3d7a79b1dc419be6789c95d

SHA1
2972f8026bf727f606e0ed16e28641e803335198

SHA256
857756fe4e5951fd5a08a812fbd56eddc22bd5097518231931934406831729ad

SHA512
53578aa918c2644253702e9d21e796d9267fec4e599ac4f137a8ced68b5e9ee4f006b2296ef231eac3891cd7a66ee6308b62290650030b45c080aa13f2146f2f

Download Submit
C:\Windows\SysWOW64\Pkmhgh32.exe

Filesize
64KB

MD5
b280acaf1c2e02ba776626079640f22b

SHA1
6cb9c5e2e0e6213f3f6e044a615809abb85cc7ce

SHA256
631e2f0d2fb99e658dca2d4fc9b632e7ee527c859695944911cc8211a9447d58

SHA512
9bcd692ca9b3f7269251f3493b958f6ceaf93224860e9074f94724b6420b168c75d3e2831fbe1bba09a8f7ca64f4d5eb15559ecf6b6279c9fe21de4985a99ad3

Download Submit
C:\Windows\SysWOW64\Qejfkmem.exe

Filesize
64KB

MD5
7c0986e08a94efd77990b05cc3024f0b

SHA1
7e9cec7a6a65184542ffef2fed23985be315eaf6

SHA256
b9f9abb99bbf132b603644dce66a3a71f60e5db6a646869deaed86ade34f88b5

SHA512
e489759c9d59525b1174d714f7fd620270ac9ff7877c5de015200c65be7ac152a9d8fc42e9a78ac7d8af98a411742f257b4f636cf936b46de5e18d7b60cf0c55

Download Submit
memory/212-433-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/212-8-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/312-113-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/312-446-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/348-407-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/404-463-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/404-256-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/408-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/408-434-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/752-311-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/764-458-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/764-216-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/788-341-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1048-432-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1048-1-0x0000000000431000-0x0000000000432000-memory.dmp

Filesize
4KB

Download
memory/1048-0-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-185-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1316-454-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1480-353-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1492-281-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1500-335-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1548-431-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1680-323-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1772-329-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1912-293-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1916-389-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-64-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2028-440-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-240-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2044-461-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2080-273-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2144-419-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2268-383-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-97-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2288-444-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-453-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2364-177-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2380-438-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2380-48-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-457-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2436-209-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2440-40-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2440-437-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-450-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2628-144-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-464-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2656-263-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2720-399-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2764-459-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2764-224-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-160-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2788-451-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2796-275-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2832-413-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-105-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2896-445-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2980-200-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2980-456-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3096-192-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3096-455-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3208-80-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3208-442-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3320-89-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3320-443-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3600-369-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3632-462-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3632-248-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3648-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3648-449-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3680-347-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3952-303-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3976-371-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4028-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4028-439-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4076-448-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4076-129-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-121-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4092-447-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4220-359-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4232-24-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4232-435-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4272-425-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4292-436-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4292-33-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4324-169-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4324-452-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4356-287-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4484-157-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4548-317-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4744-73-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4744-441-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4988-401-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5024-305-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5064-460-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5064-232-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/5096-377-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads